MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1c2c3bdce253290795062ea0e45635b31b90ae4578bed99cfd2daac211784a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: a1c2c3bdce253290795062ea0e45635b31b90ae4578bed99cfd2daac211784a9
SHA3-384 hash: b5af7a31b7ccaae5e608398f6606f20243d910187e1885ee84a6141081ce625cdcc148842b0acaca73fe2e580717e583
SHA1 hash: 83f1de26471083fb2e92fabb225030c44a13f6e8
MD5 hash: d0f66250a9954eab53228ea79190194b
humanhash: glucose-spring-solar-kentucky
File name: jiefeng.exe
Download: download sample
File size: 7'046'699 bytes
First seen: 2024-06-22 15:02:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep: 196608:ag3+RezHSLpMu+d878HJHAt4MH3PkerYBQyIyD:aycpMu+ScJgeMXPk0YBQyD
TLSH: T16D6633613DC0E033E0A48431691BEB597179B4708D73CECA67809E6A99F81F6E778D62
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter: mautshim
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 388
Origin country: ID
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a1c2c3bdce253290795062ea0e45635b31b90ae4578bed99cfd2daac211784a9.exe
Verdict: Malicious activity
Analysis date: 2024-06-22 15:05:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Banker Encryption Execution Generic Network Other Static Stealth Dexter
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 84 / 100
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample is not signed and drops a device driver
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph (ID 1461113; sample jiefeng.exe; start date 22/06/2024; architecture WINDOWS; score 84): the graphical process tree is not reproducible as text. Recoverable content: jiefeng.exe drops C:\bak\jf\winspool.drv (PE32), C:\bak\jf\amigendrv64.sys (PE32+), C:\bak\jf\amifldrv64.sys (PE32+) and 6 other files (5 malicious), triggering "Sample is not signed and drops a device driver"; jiefeng.exe starts wscript.exe ("Windows Scripting host queries suspicious COM object (likely to drop second stage)"), which starts cmd.exe, which starts conhost.exe. Signatures on the root node: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Multi AV Scanner detection for submitted file, 3 other signatures.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-06-22 15:03:08 UTC
File Type: PE (Exe)
Extracted files: 94
AV detection: 17 of 24 (70.83%)
Threat level: 2/5
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SHA256 hash: 80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311
MD5 hash: e8a2190a9e8ee5e5d2e0b599bbf9dda6
SHA1 hash: 4e97bf9519c83835da9db309e61ec87ddf165167

SHA256 hash: 73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
MD5 hash: 7bec181a21753498b6bd001c42a42722
SHA1 hash: 3249f233657dc66632c0539c47895bfcee5770cc

SHA256 hash: 38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20
MD5 hash: 119f0656ab4bb872f79ee5d421e2b9f9
SHA1 hash: e35969966769e7760094cbcffb294d0d04a09db6
Detections: PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8

SHA256 hash: 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
MD5 hash: 64ae4aa4904d3b259dda8cc53769064f
SHA1 hash: 24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256 hash: 20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb
MD5 hash: 0dff47f3b14fb1c1bad47cc517f0581a
SHA1 hash: db3538f324f9e52defaba7be1ab991008e43d012

SHA256 hash: 153c80bc09d87e5dd0dfd8ae1fb4e43c45d41ab80a432fda3129752d924a53c4
MD5 hash: 308058dfd092f4ebf1099a89940e19d5
SHA1 hash: 91e62c9a06a7581aabd7c4560b8a5d60ccd07e65

SHA256 hash: 149530feddbdaf881e9afbe397b0da3f0b165cba2d249bc94855c1734b54c1e8
MD5 hash: 0a4fb3fd269089be341dcaa32fe96fbb
SHA1 hash: 5cbcedf375914b07bd33de592c156a7a9b045084

SHA256 hash: 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
MD5 hash: 1898ceda3247213c084f43637ef163b3
SHA1 hash: d04e5db5b6c848a29732bfd52029001f23c3da75
Detections: PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429
Parent samples:
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe a1c2c3bdce253290795062ea0e45635b31b90ae4578bed99cfd2daac211784a9 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE | Title: Missing Authenticode | Severity: high
ID: CHECK_DLL_CHARACTERISTICS | Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA) | Severity: high

Reviews
ID: WIN32_PROCESS_API | Capabilities: Can Create Process and Threads | Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
ID: WIN_BASE_API | Capabilities: Uses Win Base API | Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
ID: WIN_BASE_EXEC_API | Capabilities: Can Execute other programs | Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
ID: WIN_BASE_IO_API | Capabilities: Can Create Files | Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments